diff --git a/src/main/java/org/etsi/osl/mcp/backend/configuration/McpConfiguration.java b/src/main/java/org/etsi/osl/mcp/backend/configuration/McpConfiguration.java index 87ca06c06c60485a16289fea35de1ea306103b84..b0ce8ff9f3687245fb5b3ee5d4b748981a205dbc 100644 --- a/src/main/java/org/etsi/osl/mcp/backend/configuration/McpConfiguration.java +++ b/src/main/java/org/etsi/osl/mcp/backend/configuration/McpConfiguration.java @@ -1,46 +1,54 @@ package org.etsi.osl.mcp.backend.configuration; +import org.springaicommunity.mcp.security.client.sync.AuthenticationMcpTransportContextProvider; +import org.springframework.ai.mcp.customizer.McpSyncClientCustomizer; +import org.springframework.context.annotation.Bean; import org.springframework.context.annotation.Configuration; -import org.springframework.security.oauth2.client.registration.ClientRegistrationRepository; -import org.springframework.security.oauth2.client.registration.InMemoryClientRegistrationRepository; +import org.springframework.security.core.Authentication; +import org.springframework.security.core.context.SecurityContextHolder; +import org.springframework.security.oauth2.server.resource.authentication.JwtAuthenticationToken; + +import io.modelcontextprotocol.client.transport.customizer.McpSyncHttpClientRequestCustomizer; /** - * @author Daniel Garnier-Moiroux + * MCP Client Configuration for JWT Bearer Token Propagation + * + * Configures the MCP client to forward JWT Bearer tokens from incoming API requests + * to the MCP Server. This enables proper authorization when calling MCP Server tools + * that require authentication. + * + * @author OpenSlice Team */ @Configuration class McpConfiguration { - // Disabled OAuth2 customization for MCP client - not needed for JWT-based API - // The MCP server connection doesn't need OAuth2 authentication - - // @Bean - // McpSyncHttpClientRequestCustomizer requestCustomizer(OAuth2AuthorizedClientManager oAuth2AuthorizedClientManager, - // ClientRegistrationRepository clientRegistrationRepository) { - // var registrationId = findUniqueClientRegistration(clientRegistrationRepository); - // return new OAuth2AuthorizationCodeSyncHttpRequestCustomizer(oAuth2AuthorizedClientManager, registrationId); - // } - - // @Bean - // McpSyncClientCustomizer syncClientCustomizer() { - // return (name, syncSpec) -> syncSpec.transportContextProvider(new AuthenticationMcpTransportContextProvider()); - // } - /** - * Returns the ID of the {@code spring.security.oauth2.client.registration}, if - * unique. + * Configures JWT Bearer token propagation to MCP Server. + * + * When the MCP Backend receives an authenticated request with a JWT Bearer token + * (e.g., from Postman or other REST clients), this customizer extracts that token + * and forwards it to all MCP Server HTTP calls, ensuring proper authorization. */ - private static String findUniqueClientRegistration(ClientRegistrationRepository clientRegistrationRepository) { - String registrationId; - if (!(clientRegistrationRepository instanceof InMemoryClientRegistrationRepository repo)) { - throw new IllegalStateException("Expected an InMemoryClientRegistrationRepository"); - } - var iterator = repo.iterator(); - var firstRegistration = iterator.next(); - if (iterator.hasNext()) { - throw new IllegalStateException("Expected a single Client Registration"); - } - registrationId = firstRegistration.getRegistrationId(); - return registrationId; + @Bean + McpSyncHttpClientRequestCustomizer requestCustomizer() { + return (builder, connectionName, serverUri, endpoint, context) -> { + // Get the current authentication from SecurityContext + Authentication authentication = SecurityContextHolder.getContext().getAuthentication(); + + // Check if the authentication is JWT-based (from Bearer token) + if (authentication instanceof JwtAuthenticationToken jwtAuth) { + // Extract the JWT token value + String tokenValue = jwtAuth.getToken().getTokenValue(); + + // Add as Bearer token to the outgoing MCP Server request + builder.header("Authorization", "Bearer " + tokenValue); + } + }; + } + + @Bean + McpSyncClientCustomizer syncClientCustomizer() { + return (name, syncSpec) -> syncSpec.transportContextProvider(new AuthenticationMcpTransportContextProvider()); } } \ No newline at end of file